1. Field of the Invention
This invention is related to the protection of digital information in various forms from unauthorized distribution, use or modification. The protective systems and methods described herein are intended to detect or prevent successful deployment and utilization of many of the tools and techniques of such unauthorized use when applied to executable content, or other digital content, on a computing device.
2. Description of the Related Art
The digital content industry has been aware for some time of the problem of unauthorized use and distribution of digital content and unauthorized subversion of control mechanisms designed to control the distribution of such content. Such control mechanisms take the form of protective systems that control the installation or usage of such content. The control mechanisms may authenticate locally and/or remotely, and may refuse to allow the usage of unauthorized copies and/or report such usage. Such subversions can include modification of licensing control logic (i.e. making a copy work) or the complete stripping and modification of digital content to remove all licensing and protective logic from it.
Before subversion becomes possible, the protective system for the digital content is disabled. This form of attack usually begins by using tools that provide an understanding of the protective system, and from that understanding, successful alterations and subversions of system functions become possible. The problem is exacerbated by the fact that many of the more significant tools used for subversion are powerful and legitimate tools commonly used in the software and hardware development industry; for example, In-Circuit Emulation (ICE) tools, debugger tools, and disassembly tools. Such tools are legal to own, easy to obtain, and continue to become more advanced and effective. Examples of these widely known and deployed tools include SoftIce, available from NuMega, any of the debuggers available from Microsoft or Borland, the powerful protection-removal tool ProcDump, a shareware tool available free by download on the Internet, and many others.
A number of mechanisms are currently available that may be used to limit or prevent the execution of certain tools, such as debuggers and ICE tools. The primary method of detection of a subversion tool is usually tool-specific, where overt aspects of a specific version of a specific tool are known (filenames, in-memory file signatures, execution-time strings in system data structures) and actively sought.
The most popular of the methods that use techniques such as those described above are only marginally effective today. In one example, a popular implementation of a protective system searches for the NuMega SoftIce tool by such overt means. There exists a specially crafted stealth layer known as “Frogs Ice” that was created solely to hide SoftIce. When this popular protective implementation is debugged with SoftIce while SoftIce is hidden by Frogs Ice, the protective system fails to see the threat and is subverted.
Conventional implementations of some significance that protect digital content using other approaches include methods that obfuscate the operation of a system and related data payload. This is usually accomplished by means of sophisticated encryption and/or information hiding schemes, some involving client-server models. These approaches are usually quite strong in the areas of encryption and hiding, but may be compromised by the skilled memory lifting of the information after it has been found and decrypted during the legitimate-use operation of the protected component. Information is most vulnerable when it has been made ready for normal usage because it is much more complete and immediately usable in that form.
Despite such developments, no current mechanism of this type has proven to be entirely effective. The reasons for this are apparent: while encryption is an important part of any protective system, it should not represent the sole, or primary, method of protection, since encrypted content must at some time be decrypted for use, and may, for example, be subject to piracy following decryption. Such methods, when used as the sole protective means, are vulnerable to approaches that analyze and then modify the mechanism, and over time, with some persistence, can be broken. Any changes to the algorithm (cracking the decryptor, for example) or attacks directly on the encrypted payload (using a computer system to crack the encryption), although theoretically effective, are not the attack of choice when a payload is of interest to an intruder; these approaches are much more challenging and take much more time than simply stealing the data after it has been decrypted by the protective system during normal use. The common denominator of successful attacks against such protective mechanisms comes in the form of tools that attack this weakest link in the chain, as in the “ProcDump” memory-lifting tool, or other memory lifters or memory dumpers. This class of web-distributed enhanced dumping tools has a great many features, which include the ability to steal-after-decryption any 32-bit executable on any Windows-based operating system, to restore the Import table and PE header, to reoptimize the lifted executable, and even to establish a client-server relationship with a second dumping tool which is awaiting the (specifically timed) opportunity to lift a target executable. These functions require some degree of sophistication to understand and use but enable a somewhat experienced intruder to steal almost any such protected payload at the moment of authorized usage of the payload.
Tools such as memory lifters or memory dumpers are an example of the kinds of attack mechanisms that have rendered most content protection schemes for digital content, especially executable content, much less effective. This is true especially since 1998, when these tools and associated reverse-engineering techniques became widely disseminated on the World Wide Web.
In view of the fact that digital piracy is a widespread problem, and one that has been around since the ability to copy or record digital information has been provided to consumers, there are a large number of historic countermeasures of varying degrees of effectiveness. Each generation of these solutions has a causal effect on the creation of reverse engineering tools and techniques to counter it. In most cases these anti-piracy methods have been subverted, or easily compromised when desired, by the tools and techniques of such opponent “hackers”. Over the years, the tools and techniques of such attacks have improved to the point where much of contemporary anti-modification technology can be bypassed by determined intruders within hours, or at most, days. Any number of public domain references to these reverse engineering tools and techniques, even entire groups of people dedicated to the task of reverse engineering and defeating protective inventions such as those described herein, may be found on the World Wide Web simply by typing such phrases as “reverse engineer” or “disassemble executable” into any search engine.